Facebook slapped with privacy audits

Regulators intend to slap Facebook with two decades of independent privacy audits and other penalties for misleading consumers about the means by which the social giant collects and shares its more than 800 million users' personal information.

The proposed sanctions by the Federal Trade Commission, announced Tuesday, fault Facebook for “repeatedly” making some users' data public, according to the agency. The lapses, the FTC said, occurred as a result of changes to Facebook's privacy policy, inadequate privacy protections by its third-party app-makers and the social giant's broken promises about the information it shares with advertisers.

It's a landmark settlement for the FTC and a critical development for Facebook, which has come under intense scrutiny about its privacy policies around the world as it prepares a potential initial public offering in 2012. Failure by Facebook to meet the terms of the settlement could subject the company to steep fines.

"Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users," FTC Chairman Jon Leibowitz said. "Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."

Facebook founder Mark Zuckerberg replied to many of the charges in a blog post Tuesday, noting work the company has done to address lingering privacy concerns and address some of the issues raised by the FTC.

"For Facebook, this means we're making a clear and formal long-term commitment to do the things we've always tried to do and planned to keep doing — giving you tools to control who can see your information and then making sure only those people you intend can see it," he said, adding similar settlements already exist with Twitter and Google.

Zuckerberg also promised to create "two new corporate officer roles" to tackle privacy, though one of the new hires in Washington has already been announced.

The package of penalties announced Tuesday settles an investigation that came partly at the behest of the Electronic Privacy Information Center and other privacy watchdog groups. Those stakeholders faulted the company for changes to its system in 2009 that made some users' sensitive information — such as their names, photos and other details — public by default.

But the FTC complaint details eight instances spread across a long timeline in which Facebook failed to protect users' data.

The FTC alleges that "Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate." But the FTC found those apps took far more data. In other instances, personal information that Facebook said was visible to "friends only" had been shared with third-party apps that the user's friends may have installed.

The "Verified Apps" program maintained by Facebook proved insecure, the FTC found, and users who deactivated or deleted their accounts thinking their data was inaccessible found that Facebook "allowed access to the content."

Moreover, the FTC charged Facebook with sharing personal information with advertisers. According to a top FTC lawyer, users who clicked on an ad often had the unique number identifying their profile passed to the advertising company. That gave the third-party advertiser the ability to combine the user ID with other information in the users' own profiles, according to the complaint. Facebook, however, has since revised its ad system.

The settlement also faults Facebook for failing to comply with the U.S.-EU Safe Harbor Agreement, a transatlantic privacy framework.

The proposed settlement requires Facebook to submit to independent privacy audits every other year for 20 years. It also prevents the social network from misrepresenting its privacy and security settings. That latter provision is written in an intentionally broad way, FTC officials said on a call Tuesday, and could cover other instances of deception even in areas not explicitly covered by the agency’s settlement.

It also must "obtain consumers' affirmative express consent before enacting changes that override their privacy preferences," according to the FTC.

Facebook is further required to implement a comprehensive privacy policy and prevent "anyone from accessing a user's material no more than 30 days" after an account is shut down.

The settlement requires a final vote by the FTC's commissioners to enter effect. A public comment period on the settlement ends Dec. 30.

This article first appeared on POLITICO Pro at 1:20 p.m. on November 29, 2011.